09 April 2019

Microsoft Defender: Exploring Microsoft’s advanced threat protection technologies

  • Cyber security
Mathew Richards, Head of Mobility & Security

The Microsoft 365 Defender suite of technologies offers powerful capabilities to protect against, detect and respond to threats to your organisation.

Microsoft has been developing their portfolio of security technologies at a rapid pace over the last few years and they’re not slowing down!

I think it’s fair to say that Microsoft, given the adoption of services such as Office 365, Windows 10 and Azure, is in a unique position. Having access to that telemetry, and being able to build security controls natively into those services, is a great opportunity to provide enhanced security capabilities.

Microsoft offers several advanced threat technologies, each focused on a specific area of your IT environment. Individually, each provides advanced protection for its own area; together they share signals, enabling you to see the complete chain of events during an attack.

We often see confusion around these technologies, especially since Microsoft rebranded Microsoft Threat Protection as Microsoft 365 Defender and renamed the advanced threat protection (ATP) products within it. As a result, some think Microsoft 365 Defender is a single technology, and others are not clear on what it actually covers.

This blog will aim to clarify the technologies included in Microsoft 365 Defender and what they offer. Understanding this is critical when developing your security strategy.


Exploring the three Microsoft Defender technologies

Let’s dig into what the Microsoft Defender technologies are and what they each bring to the table.

There are three key Defender technologies:

  • Microsoft Defender for Endpoint (previously known as Microsoft Defender Advanced Threat Protection)
  • Microsoft Defender for Office 365 (previously known as Office 365 Advanced Threat Protection)
  • Microsoft Defender for Identity (previously known as Azure Advanced Threat Protection)

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint is a technology that, unsurprisingly, focuses on your endpoints: specifically, your desktop devices and your Windows servers.

The sensor is built into Windows 10 and needs only an onboarding policy to be deployed to activate it. On down-level operating systems, such as Windows 7 and Windows 8.1 and the corresponding Windows Server releases, an agent has to be deployed first.

Microsoft has made it clear that its key focus is Microsoft Defender for Endpoint on Windows 10; the down-level capability exists so that you keep complete coverage while you migrate to Windows 10.
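The following PowerShell is an added example (it is not code from the article or from Microsoft) that a practitioner can run on a device after the onboarding policy has been applied, to confirm the state the two paragraphs above describe: on Windows 10 the built-in sensor service (Sense) should be running and the onboarding registry value set, while on a down-level device the Microsoft Monitoring Agent (HealthService) is what carries the sensor. The service names and the `HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status` key are taken from Microsoft's onboarding troubleshooting guidance and should be treated as assumptions to verify against current documentation; the script needs Windows PowerShell 3.0 or later and an elevated prompt.

```powershell
# Added example (not from the original article): report whether a Windows device has
# completed Defender for Endpoint onboarding or, on a down-level OS, whether the
# Microsoft Monitoring Agent that carries the sensor is present. Run elevated.
# Service and registry names follow Microsoft's onboarding troubleshooting guidance;
# treat them as assumptions to verify against current documentation.
function Test-MdeOnboarding {
    [CmdletBinding()]
    param()

    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    $report = [ordered]@{
        ComputerName    = $env:COMPUTERNAME
        OSVersion       = $os.Version
        SenseService    = 'not installed'   # built-in EDR sensor (Windows 10 and later)
        DiagTrack       = 'not installed'   # telemetry service the sensor depends on
        MmaService      = 'not installed'   # Microsoft Monitoring Agent (down-level path)
        OnboardingState = $null
        OrgId           = $null
        Onboarded       = $false
        Notes           = @()
    }

    # Map Windows service names to the fields in the report
    foreach ($pair in @(@('Sense', 'SenseService'), @('DiagTrack', 'DiagTrack'), @('HealthService', 'MmaService'))) {
        $svc = Get-Service -Name $pair[0] -ErrorAction SilentlyContinue
        if ($svc) { $report[$pair[1]] = $svc.Status.ToString() }
    }

    # OnboardingState becomes 1 once onboarding has completed; OrgId identifies the tenant
    if (Test-Path $statusKey) {
        $props = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue
        $report.OnboardingState = $props.OnboardingState
        $report.OrgId           = $props.OrgId
    }

    if ($report.SenseService -eq 'Running' -and $report.OnboardingState -eq 1) {
        $report.Onboarded = $true
    }
    elseif ($report.MmaService -eq 'Running') {
        $report.Notes += 'Down-level device: MMA present; confirm its workspace and sensor configuration.'
    }
    else {
        $report.Notes += 'No onboarded sensor found: deploy the onboarding policy (Windows 10) or the agent (down-level).'
    }

    # A running sensor that cannot send telemetry will never show up in the portal
    if ($report.SenseService -eq 'Running' -and $report.DiagTrack -ne 'Running') {
        $report.Notes += 'DiagTrack is not running; the sensor cannot report until it is started.'
    }

    [pscustomobject]$report
}

Test-MdeOnboarding | Format-List
```

Onboarded is only set when both conditions hold; a Sense service that is present but stopped, or an OnboardingState other than 1, is a policy-deployment problem to chase before expecting the device to appear in the portal.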

Microsoft Defender for Endpoint is Microsoft’s offering in the Endpoint Detection and Response (EDR) area.

Microsoft Defender for Endpoint provides detailed monitoring of your endpoints and aims to detect known or suspected malicious activity. Its detections draw on intelligence from the Microsoft Intelligent Security Graph, which is continuously updated with new threat intelligence and machine learning models.

Couple Microsoft Defender for Endpoint with the security components of Windows 10, such as Windows Defender Exploit Guard and Windows Defender Antivirus, and you have comprehensive threat protection for your endpoints. Attackers typically gain their initial foothold in your environment by compromising an endpoint.

Microsoft Defender for Endpoint also provides automated investigation, which reaches out to the affected endpoints to gather further evidence about the suspicious activity. This greatly reduces the time taken to investigate and gets you to the root cause more quickly and efficiently.

Microsoft Defender for Endpoint is managed and monitored through a cloud-based portal that provides additional visibility, such as risk posture, recommended configuration changes and the ability to create security tasks that your IT admins can then action.

You’ll also benefit from regularly added features and improvements, such as web content filtering. Whilst this originally required an additional partner licence, Microsoft has since included it within Defender for Endpoint as standard.

Microsoft Defender for Office 365

Microsoft Defender for Office 365 is a threat protection technology that protects e-mail and the data held within Office 365 in places like SharePoint Online, Teams and OneDrive for Business. Its aim is to provide zero-day protection against malware, including samples that signature-based scanning has never seen.

It works by opening attachments and files in a sandbox (a ‘detonation chamber’) to observe what the file would do when a user opens it. If it sees suspicious behaviour, it blocks the file.


Included within the solution is the ability to protect users against malicious URLs or web links within an e-mail or document. It achieves this by checking the link against a database of known malicious sites at the time the user clicks it. If the destination is known to be malicious, the user is blocked from reaching it. In addition, Microsoft Defender for Office 365 analyses any files those links point to in the same way as attachments.

Microsoft Defender for Office 365 also includes protection against phishing attacks. It uses extensive machine learning models to understand when and who you typically communicate with to detect impersonation attempts.

Phishing attacks are on the rise and can be very effective in encouraging end users to surrender their credentials or other types of data. Having protection in place to help mitigate this risk is an important part of your security strategy.


Microsoft Defender for Identity

Microsoft Defender for Identity predominantly focuses on protecting your identities. It is a cloud-based solution with some on-premises components (typically sensors on or alongside your domain controllers) that capture and analyse the traffic flowing to and from your local Active Directory domain controllers.

Because it is cloud-based, it is also integrated with the Microsoft Intelligent Security Graph, meaning that it benefits from wider security telemetry and intelligence.


It will alert you to typical attack techniques, such as ‘pass the hash’ or ‘pass the ticket’, which attackers use to move laterally within your organisation.

Microsoft Defender for Identity also alerts you to uncharacteristic user activities. It achieves this by building detailed activity models that describe a user’s normal behaviour. When activities occur that are out of the norm, alerts are generated for further investigation.

Microsoft Defender for Identity is Microsoft’s offering in the User and Entity Behavioural Analytics (UEBA) area.

Microsoft continually adds new detections to Defender for Identity as new malicious techniques are discovered.
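To make the ‘build a model of normal behaviour, alert on deviations’ idea concrete, here is an added PowerShell example. It is not Defender for Identity’s detection logic, which works from domain controller traffic and far richer models; it is a toy baseline over a handful of constructed logon events (the users, hosts and timings are invented) that flags a logon when the source host, target, protocol or hour has not been seen before for that user, and calls out the specific shape, NTLM from an unfamiliar host, that a pass-the-hash logon often takes.

```powershell
# Added example (not Defender for Identity's logic): a toy behavioural baseline over
# constructed logon events, to show the "learn the norm, alert on deviation" idea.
# All users, hosts and events below are invented.

# Training window: what normal looks like for each user
$baselineEvents = @(
    @{ User = 'alice'; Source = 'WS-ALICE'; Target = 'DC01'; Auth = 'Kerberos'; Hour = 9  },
    @{ User = 'alice'; Source = 'WS-ALICE'; Target = 'FS01'; Auth = 'Kerberos'; Hour = 10 },
    @{ User = 'alice'; Source = 'WS-ALICE'; Target = 'DC01'; Auth = 'Kerberos'; Hour = 17 },
    @{ User = 'bob';   Source = 'WS-BOB';   Target = 'DC01'; Auth = 'Kerberos'; Hour = 8  },
    @{ User = 'bob';   Source = 'WS-BOB';   Target = 'FS01'; Auth = 'Kerberos'; Hour = 14 }
)

# New events to score: a routine logon, alice's credentials used from bob's machine at 3 a.m.,
# and a user with no history at all
$newEvents = @(
    @{ User = 'alice'; Source = 'WS-ALICE'; Target = 'FS01'; Auth = 'Kerberos'; Hour = 11 },
    @{ User = 'alice'; Source = 'WS-BOB';   Target = 'DC01'; Auth = 'NTLM';     Hour = 3  },
    @{ User = 'carol'; Source = 'WS-BOB';   Target = 'DC01'; Auth = 'Kerberos'; Hour = 9  }
)

function New-UserBaseline {
    # Per user, record every source host, target, protocol and hour seen in the training window
    param([hashtable[]]$Events)
    $baseline = @{}
    foreach ($e in $Events) {
        if (-not $baseline.ContainsKey($e.User)) {
            $baseline[$e.User] = @{ Sources = @{}; Targets = @{}; Auth = @{}; Hours = @{} }
        }
        $b = $baseline[$e.User]
        $b.Sources[$e.Source] = $true
        $b.Targets[$e.Target] = $true
        $b.Auth[$e.Auth]      = $true
        $b.Hours[$e.Hour]     = $true
    }
    return $baseline
}

function Get-AnomalyReasons {
    # Return one reason per attribute of the logon that falls outside the user's baseline
    param([hashtable]$Baseline, [hashtable]$Logon)
    $b = $Baseline[$Logon.User]
    if (-not $b) { return @('user has no baseline') }
    $reasons = @()
    if (-not $b.Sources.ContainsKey($Logon.Source)) { $reasons += "new source host $($Logon.Source)" }
    if (-not $b.Targets.ContainsKey($Logon.Target)) { $reasons += "new target $($Logon.Target)" }
    if (-not $b.Auth.ContainsKey($Logon.Auth))      { $reasons += "unusual protocol $($Logon.Auth)" }
    # An hour within one hour of any previously seen hour counts as normal
    $near = @($b.Hours.Keys | Where-Object { [math]::Abs($_ - $Logon.Hour) -le 1 })
    if ($near.Count -eq 0) { $reasons += "unusual hour $($Logon.Hour):00" }
    # NTLM from a host the user never uses is the shape a pass-the-hash logon often takes
    if ($Logon.Auth -eq 'NTLM' -and -not $b.Sources.ContainsKey($Logon.Source)) {
        $reasons += 'NTLM logon from an unfamiliar host (pass-the-hash style indicator)'
    }
    return $reasons
}

$baseline = New-UserBaseline -Events $baselineEvents
foreach ($e in $newEvents) {
    $reasons = @(Get-AnomalyReasons -Baseline $baseline -Logon $e)
    $verdict = if ($reasons.Count -eq 0) { 'normal' } else { 'ALERT ' }
    '{0} {1,-6} {2,-8} {3,-9} -> {4,-5} {5}' -f $verdict, $e.User, $e.Auth, $e.Source, $e.Target, ($reasons -join '; ')
}
```

Running it prints ‘normal’ for alice’s routine file-server logon and an ALERT with four reasons for the 3 a.m. NTLM logon from WS-BOB; carol, who has no baseline, is flagged too, which is the usual cold-start problem for behavioural detection and why a learning period precedes alerting in a real product.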


Conclusion

Hopefully, you now understand what the Microsoft Defender technologies are and what they aim to do.

Whilst they are powerful technologies in their own right, they become even more powerful when you use them all together. This way they can share data and perform activities to prevent further attacks.

For example, when Microsoft Defender for Endpoint detects and confirms a malicious process, it remediates it on the device and signals Microsoft Defender for Office 365 to retrospectively remove the originating e-mail and attachment from users’ mailboxes. From an investigative perspective, you can also view activities across the whole attack chain, giving you the insight you need to deal with the incident.

Microsoft continues to add new technologies to their security suite, such as their cloud-native SIEM solution, Azure Sentinel.

Azure Sentinel can ingest and aggregate signals from almost any system and applies additional layers of machine learning and analytics to reduce noise, so that the alerts you receive are the ones worth acting on. Furthermore, you can automate responses to those alerts so that you can react quickly in the event of a security incident.

Key takeaways

  • Microsoft 365 Defender is the new name for Microsoft Threat Protection
  • The Microsoft Defender technologies cover identity, endpoints and Office 365
  • Though powerful individually, their true strength lies in their ability to communicate with each other
  • Utilising all three gives you coverage across identity, endpoint and Office 365 workloads
  • Bring Azure Sentinel into the mix to collect all that security data into one place for analysis and remediation
